Introduction


Going beyond the merely digital trails left by cyberattacks 
and delving deeper, akin to peering behind the curtains, to 
comprehend the sequence of events that culminate in a 
breach. 

Cognitive hacking is a form of cyberattack that hinges on
the manipulation of human perceptions and subsequent
behavior for its success. This genre of attack is often
encompassed by terms such as phishing, spear-phishing, and
social engineering. We are going a step further from typical
social engineering into Cognitive Security (CogSec).


A quick clarification regarding the most commonly misused
term in cybersecurity, “Hacker”. We can thank the FBI for this
confusion, as it was first reported by the FBI in the 1980
during NCSS breach investigation report. [2] [10]

Hackers are technically skilled, resourceful computer
programmers interested in testing the defenses of networks
and computers simply to prove it could be done, or to better
understand and decipher their technologies.


Robust Yet Fragile or Robust Not Fragile 


A common theme in cybersecurity weaknesses points to the
complexity of systems and infrastructure. Firms layer
policies and security infrastructure in a labyrinth designed to
create what many call the M & M Defense: hard on the
outside and soft in the center.


The mass migration to the cloud hasn’t changed this concept,
which focuses only on external threat vectors, ignoring
internal threats (insider threat).1]2]

The predicted *Cyber Pearl Harbor already happened,
triggering a complete change in the cybersecurity literature.
Changes such as the move from “Trust but Verify” to “Never
Trust, Always Verify” hint at the ZeroTrust principles, and
accepting that Always Prevent never worked established a
Protect, Detect, Respond framework. The language of cyber
risk is a key indicator of the cyber maturity of any
cybersecurity program. Cyber assurance can be derived only
from a robust quantitative and qualitative risk analysis with
credible data about cyber risks, assets, infrastructure, and
people. That takes time to properly develop and implement,
giving us complete visibility over this complicated threat
landscape.


Simplicity requires a more precise vision for cybersecurity. 
Automation and consolidation are two valid ways to simplify 
network security policy management and reduce the risk of 
misconfiguration.[2] 

The more complex your network and infrastructure are, the
more vulnerable they become. Doyle introduced the concept of
the Robust Yet Fragile (RYF) paradigm to explain the five
components of network design used to build a robust system.
Each design component is built on the concept of adding
robustness to networks to handle today's evolving business
needs. Reliability is robustness to component failures.
Efficiency is robustness to resource scarcity. Scalability is
robustness to changes in the size and complexity of the
system as a whole. Modularity is robustness to structure
component rearrangements. Evolvability is robustness of
lineages to changes on long timescales.[3][2]

*The term “Cyber Pearl Harbor” is attributed to former US Defense Secretary Leon Panetta.

The shift from robust yet fragile to being secure because
you are robust is one of the changes that occurred within
the cybersecurity doctrines. Given that it's impossible to
protect against all new cyberattacks, it has become critical
for companies to reduce the impact of cyber breaches by
focusing on cyber resilience. A cyber-resilient company that
rapidly regains its performance capabilities after a shock
operates on 4 distinct time scales (Anticipation, Absorption,
Responsiveness, and Shaping) using 7 adaptive design
principles (Prudence, Redundancy, Diversity, Modularity,
Adaptation, Embeddedness, and Reimagination). 14]


[Figure: Resilient company / Nonresilient company]

Murphy's Law states, “Anything that can go wrong will go
wrong”. That is the principle of Prudence, which is the
anticipation before any cyber breach: anticipating not only
known cyberthreats but also how to respond and recover if
systems are disrupted by cyberattacks not yet invented.

In the Absorption phase, the focus is on reducing the
immediate impact of the breach by using 3 principles:
Redundancy, using multiple data centers, cloud instances,
backups, and load balancers; Diversity, by harnessing the
power of heterogeneity in people, process, and technology,
which is a challenge of balancing efficiency and resiliency;
and Modularity, by isolating compromised systems from
healthy systems and substituting them with the healthy
“uncompromised systems” to perform critical functions.


In the Responsiveness phase, we reduce the duration of the
breach using 2 principles, Adaptation and Embeddedness:
adapting to cyberattacks by learning to always enhance our
defense cycles, continuously gathering cyber threat
intelligence and putting it to good use; and embracing the
principle that no system or organization is an island. Supply
chain cyber vulnerabilities are a major and real concern; the
2020 SolarWinds incident is a great example.
Reimagination is how resilient companies increase their
future resilience: they use cyber breaches as a stimulus to
reimagine how to make their operations more robust, secure,
and efficient. [4]


The M & M Defense


Going back to the M & M Defense, or the false sense of
security, which paints us a picture of the Maginot fortified
line of defense. The Maginot Line was the name of a line of
fortifications deployed to slow German attacks on France.
Despite its strength and complex design, the line was unable
to prevent the German invasion, which entered France via
Belgium. 111]


I am going to use Conti Ransomware as an example to better
explain and draw a practical picture.

Conti is considered a ransomware-as-a-service (RaaS)
ransomware variant, although there are variations in its
structure that differentiate it from a typical affiliate model
in some instances.


Their main point of access was mostly through spear-phishing
campaigns, a cognitive attack. In most cases, they utilized
malicious JavaScript code that would first drop a malware
loader into the infrastructure using either TrickBot,
IcedID, or BazarLoader.

Conti uses a range of different scripts to do reconnaissance, 
such as nltest, whoami, and net.exe. 

It then uses Cobalt Strike to escalate privileges to the local
system and set up communication with C2 servers. They also
used tools such as Kerberoast and Mimikatz to collect admin
hashes or extract passwords.

Once that is done, the attackers run the final payload, which
stops many built-in services that can hold locks on different
files and performs the encryption on all targeted files,
adding the “.CONTI” extension after encrypting them.
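
The reconnaissance and encryption stages described above leave telemetry that a defender can correlate. The following is an added example, not part of the original paper or of any vendor tooling: it flags hosts where nltest, whoami, and net.exe all start within a short window, and hosts where files gain the .CONTI extension. The event tuple layout, host names, sample rows, time window, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"nltest.exe", "whoami.exe", "net.exe"}  # tools named in the text

# Constructed sample telemetry: (ISO timestamp, host, event type, path).
# "proc" = process image started, "file" = file created or renamed.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:05", "ws-01", "proc", r"C:\Windows\System32\whoami.exe"),
    ("2024-01-10T09:00:40", "ws-01", "proc", r"C:\Windows\System32\nltest.exe"),
    ("2024-01-10T09:02:10", "ws-01", "proc", r"C:\Windows\System32\net.exe"),
    ("2024-01-10T09:30:00", "ws-01", "file", r"C:\Users\a\report.docx.CONTI"),
    ("2024-01-10T09:30:01", "ws-01", "file", r"C:\Users\a\budget.xlsx.CONTI"),
    ("2024-01-10T08:00:00", "ws-02", "proc", r"C:\Windows\System32\whoami.exe"),
    ("2024-01-10T11:45:00", "ws-02", "proc", r"C:\Windows\System32\net.exe"),
    ("2024-01-10T12:00:00", "ws-02", "file", r"C:\Users\b\notes.txt"),
]

def basename(path):
    """Lower-cased final path component of a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def recon_burst_hosts(events, window=timedelta(minutes=5), min_tools=3):
    """Hosts where min_tools distinct recon tools started within one window."""
    per_host = defaultdict(list)
    for ts, host, kind, value in events:
        if kind == "proc" and basename(value) in RECON_TOOLS:
            per_host[host].append((datetime.fromisoformat(ts), basename(value)))
    flagged = set()
    for host, runs in per_host.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            # Distinct tools seen from this start time to the end of the window.
            tools = {t for when, t in runs[i:] if when - start <= window}
            if len(tools) >= min_tools:
                flagged.add(host)
                break
    return sorted(flagged)

def conti_renamed_hosts(events, min_files=2):
    """Hosts with at least min_files files carrying the .CONTI extension."""
    counts = defaultdict(int)
    for _, host, kind, value in events:
        if kind == "file" and basename(value).endswith(".conti"):
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= min_files)
```

Each of these tools is also used by administrators on its own, which is why the check correlates several of them per host in a window instead of alerting on a single execution.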


We won't be able to fully explain which methods and
architectures could be used to defend against these attack
vectors, as this would take books to explain.

A few principles and strategies help, such as Cyber Awareness
and Enablement (also known as Layer 8 defense), ZeroTrust
Architecture (“remember, ZeroTrust is based on principles,
not tools”), and a defense-in-depth strategy.


Simplicity is Everything 


“Technology alone is not enough. Technology married with
the liberal arts, married with humanities is what yields us
the result that makes our heart sing.” Steve Jobs


Jobs developed a template for thinking about enterprise
models when he created Apple’s ecosystem. Jobs referred to
how humans interact with technology. Using simplicity as its
secret sauce, Apple has successfully created a secure and
robust ecosystem, without the rush to capture the market.
Jobs understood how cognition operates on intuition
(heuristics and biases) and on analytical concepts that
require more time and energy. [2]

That rush to market is what keeps other vendors failing in
their delivery process, making their products untrustworthy,
vulnerable, and far from being resilient.


One of the big challenges within cognitive hacking revolves
around the issue of TRUST. Cyber Trust, or “Integrity”,
focuses on developing systems that are predictable and
accountable, with faster recovery time from any cyberattack.
Systems require better situational awareness regarding the
existence of a threat as a starting point. Resilience by
Design systems that recover to a pre-attack state in seconds,
without any restoration, are already developed and getting
traction. [5][6]


The success of cyber criminals is, most of the time, our own
doing, not the result of complex, sophisticated research they
conducted to find a zero-day vulnerability. It is because of
that rush to market with broken, complex DevSecOps
processes, which are unfollowed most of the time or not even
in existence.


The Cost of Cyber Risks 


When it comes to fraudulent bank account transactions,
individuals enjoy a relatively good level of protection. The
Electronic Fund Transfer Act's Regulation mandates that, in
most scenarios, the responsibility lies with the banks.
However, surprisingly to many small businesses, banks are not
held accountable for any lost funds arising from
cybersecurity breaches. [7]


This is where the insurance companies stepped in, to
provide coverage with certain conditions attached,
requiring any business taking on the insurance policy to
participate in risk assessments, training sessions, and
cybersecurity audits. These models of shared risk come
with inherent advantages and disadvantages. Nonetheless, a
model wherein insurers collaborate in risk sharing with small
businesses through a comprehensive program could prove
exceptionally appealing to many businesses. Remember, risk
sharing doesn't eliminate the liability for the business in
any way or shape.


Cyber risk is three dimensional in a digital sense. The first
dimension is advanced technology, followed by cognitive
hacks, with the end result being real collateral damage in
time, expense, and reputation.[2]

The submergence of semantic attacks within cognitive
hacking stand as two of the most frequently employed
methods within the cybercriminals' arsenals. Nevertheless,
these are not the sole tools at their disposal. 121] Heuristics,
Semantic Architecture, Cognitive Bias, and Ontology
Mapping are some of the disciplines already in use today.


Physical and syntactical attacks occur without any human
interaction. A cognitive hack, by contrast, for all its
simplicity of approach and execution, requires a change in
user behavior, brought about by introducing misinformation
that violates the integrity of the overall system.

The MITRE Enterprise matrices classify some of the semantic
attacks under the Reconnaissance and Initial Access Tactics.
[13]

Figure 1. The sequencing of a cognitive attack

A cognitive attack requires some change in users' behavior,
accomplished by manipulating their perception of reality.
The attack's desired outcome cannot be achieved unless
users change their behavior in some way. Users' modified
actions are a critical link in the sequencing of a cognitive
attack. Cognitive hacking differs from social engineering,
which involves a cybercriminal psychologically tricking
legitimate computer system users to gain information (e.g.,
passwords) to launch a syntactic attack on the system. 112]
Deepfake and cyber deception techniques fall under the
umbrella of cognitive attacks in Intelligence and Security
Informatics (ISI).


Cognitive decision science is the scientific grounding for the
development of Machine Learning (ML) and Artificial
Intelligence (AI) in cybersecurity.

According to SAS Institute of data science technology, there 
are four types of machine learning algorithms organized 
around a taxonomy used to produce a desired outcome for 
each type. 


1 - Supervised Learning
2 - Unsupervised Learning
3 - Semisupervised Learning
4 - Reinforcement Learning


Supervised learning is the most common type, used by 70
percent of Machine Learning algorithms.

Cognitive science enables security professionals to build
trust models using supervised ML capabilities into
applications and anticipate errors in human judgment.
Cyber intelligence guided by a cognitive risk framework for
cybersecurity provides a path to an enhanced cybersecurity
program. [2]


The science of choice is more than just thinking outside the
box. It is the set of concepts for completely redesigning the
box in new ways that have traditionally limited progress in
risk management.

Intertemporal choice heavily relies on an individual's
capacity to comprehend the most advantageous decisions
through the application of various methodologies that
assess the balance between potential gains and risks
inherent in choices. This concept assumes that individuals
possessing adept analytical abilities, such as Bayesian
probability understanding, will exhibit lower discount rates
and consequently make decisions that are more
well-informed. Nevertheless, it's essential to recognize that
external factors that evolve over time can still exert an
influence on the decision-making process. [15]


Consider the scale of decisions undertaken daily by each
member of your organization. The caliber of these choices
resonates genuinely within the company, whether or not
these ramifications are quantified. Each decision within the
organization contributes to a spectrum of both favorable
and adverse consequences.

The realm of cognitive security, along with the foundational
research that underpins its exploration, is driving the
emergence of novel technologies aimed at handling not only
cybersecurity but also a diverse array of other risks.


Cognitive risk management for cybersecurity (CRFC)
incorporates human behavior into technology, raising
situational awareness, enhancing compliance, facilitating
decision making, and delivering offensive and defensive
capabilities to address enterprise risks, inclusive of cyber
risks. Cognitive risk management is the bridge that prepares
the path toward an enhanced cybersecurity program.
Cognitive Security (CogSec) is one of many disciplines IT and
OT security, risk management, and compliance professionals
must begin to understand and incorporate into a cognitive
risk management program. [2]


According to a CyberEdge Group cyberthreat report,
organizations that develop cognitive risk solutions to reduce
the burden (cognitive load) on employees improve
compliance with internal controls, freeing the firm to
leverage untapped employee engagement in more
productive ways, making compliance as intuitive as humanly
possible.


The psychology of risk perception is complex. Empirical
studies of probability assessment and decision making under
uncertainty have discovered the use of mental strategies, or
heuristics, to make sense of uncertainty in a world in which
imperfect information fails to provide accurate solutions.

When decisions fall outside of normal comfort zones or are
beyond the scope of the aptitude of the decision makers,
many simplify the problem in a process called “satisficing” to
solve a complex problem with a simpler solution than what
is needed to address the challenge fully. 12]


A cognitive risk framework is fundamental to the integration
of existing internal controls, risk management practice,
cognitive security technology, and the people who are
responsible for executing the program components that
make up enterprise risk management. A cognitive risk
framework fills the gap in today’s cybersecurity programs
when it comes to choices and decisions. 15]

A functioning cognitive risk framework for cybersecurity
provides guidance for the development of a CogSec
response that is three dimensional instead of a
one-dimensional defensive posture. 12]